Showing with 47 additions and 42 deletions.
  1. +6 −0 Changes
  2. +3 −19 README.md
  3. +10 −10 configure
  4. +1 −1 configure.ac
  5. +6 −0 debian/changelog
  6. +1 −1 docker/alpine/Dockerfile
  7. +5 −4 src/acl.h
  8. +1 −1 src/encrypt.h
  9. +1 −0 src/jconf.h
  10. +13 −6 src/server.c
@@ -1,3 +1,9 @@
shadowsocks-libev (2.5.5-1) unstable; urgency=medium

* Refine attack detection.

-- Max Lv <max.c.lv@gmail.com> Tue, 11 Oct 2016 15:45:09 +0800

shadowsocks-libev (2.5.4-1) unstable; urgency=medium

* Fix a bug of auto blocking mechanism.
@@ -9,7 +9,7 @@ It is a port of [Shadowsocks](https://github.com/shadowsocks/shadowsocks)
created by [@clowwindy](https://github.com/clowwindy), which is maintained by
[@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).

Current version: 2.5.4 | [Changelog](debian/changelog)
Current version: 2.5.5 | [Changelog](debian/changelog)

Travis CI: [![Travis CI](https://travis-ci.org/shadowsocks/shadowsocks-libev.svg?branch=master)](https://travis-ci.org/shadowsocks/shadowsocks-libev)

@@ -258,24 +258,8 @@ service shadowsocks_libev start

### OpenWRT

**Note**: You may want to use [openwrt-shadowsocks](https://github.com/shadowsocks/openwrt-shadowsocks)
, which is developed specifically for OpenWRT.

```bash
# At OpenWRT build root
pushd package
git clone https://github.com/shadowsocks/shadowsocks-libev.git
popd
# Enable shadowsocks-libev in network category
make menuconfig
# Optional
make -j
# Build the package
make V=99 package/shadowsocks-libev/openwrt/compile
```
The OpenWRT project is maintained here:
[openwrt-shadowsocks](https://github.com/shadowsocks/openwrt-shadowsocks).

### OS X
For OS X, use [Homebrew](http://brew.sh) to install or build.
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for shadowsocks-libev 2.5.4.
# Generated by GNU Autoconf 2.69 for shadowsocks-libev 2.5.5.
#
# Report bugs to <max.c.lv@gmail.com>.
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='shadowsocks-libev'
PACKAGE_TARNAME='shadowsocks-libev'
PACKAGE_VERSION='2.5.4'
PACKAGE_STRING='shadowsocks-libev 2.5.4'
PACKAGE_VERSION='2.5.5'
PACKAGE_STRING='shadowsocks-libev 2.5.5'
PACKAGE_BUGREPORT='max.c.lv@gmail.com'
PACKAGE_URL=''

@@ -1359,7 +1359,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures shadowsocks-libev 2.5.4 to adapt to many kinds of systems.
\`configure' configures shadowsocks-libev 2.5.5 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1430,7 +1430,7 @@ fi

if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of shadowsocks-libev 2.5.4:";;
short | recursive ) echo "Configuration of shadowsocks-libev 2.5.5:";;
esac
cat <<\_ACEOF
@@ -1567,7 +1567,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
shadowsocks-libev configure 2.5.4
shadowsocks-libev configure 2.5.5
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2090,7 +2090,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by shadowsocks-libev $as_me 2.5.4, which was
It was created by shadowsocks-libev $as_me 2.5.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4329,7 +4329,7 @@ fi

# Define the identity of the package.
PACKAGE='shadowsocks-libev'
VERSION='2.5.4'
VERSION='2.5.5'


cat >>confdefs.h <<_ACEOF
@@ -16778,7 +16778,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by shadowsocks-libev $as_me 2.5.4, which was
This file was extended by shadowsocks-libev $as_me 2.5.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -16844,7 +16844,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
shadowsocks-libev config.status 2.5.4
shadowsocks-libev config.status 2.5.5
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@@ -2,7 +2,7 @@ dnl -*- Autoconf -*-
dnl Process this file with autoconf to produce a configure script.

AC_PREREQ([2.67])
AC_INIT([shadowsocks-libev], [2.5.4], [max.c.lv@gmail.com])
AC_INIT([shadowsocks-libev], [2.5.5], [max.c.lv@gmail.com])
AC_CONFIG_SRCDIR([src/encrypt.c])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_AUX_DIR(auto)
@@ -1,3 +1,9 @@
shadowsocks-libev (2.5.5-1) unstable; urgency=medium

* Refine attack detection.

-- Max Lv <max.c.lv@gmail.com> Tue, 11 Oct 2016 15:45:09 +0800

shadowsocks-libev (2.5.4-1) unstable; urgency=medium

* Fix a bug of auto blocking mechanism.
@@ -5,7 +5,7 @@
FROM alpine
MAINTAINER kev <noreply@datageek.info>

ARG SS_VER=2.5.4
ARG SS_VER=2.5.5
ARG SS_URL=https://github.com/shadowsocks/shadowsocks-libev/archive/v$SS_VER.tar.gz

ENV SERVER_ADDR 0.0.0.0
@@ -26,10 +26,11 @@
#define BLACK_LIST 0
#define WHITE_LIST 1

#define MAX_TRIES 128
#define ATTACK 8
#define BAD 4
#define MALFORMED 1
#define MAX_TRIES 64
#define MALICIOUS 8
#define SUSPICIOUS 4
#define BAD 2
#define MALFORMED 1

int init_acl(const char *path);
void free_acl(void);
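Review bot: The report weights and the lowered `MAX_TRIES` in this hunk carry no comment saying how they combine, and `ATTACK` is renamed to `MALICIOUS` while `BAD` drops from 4 to 2 with no explanation. If `report_addr` adds one weight per event and blocks an address once the total reaches `MAX_TRIES` (its body is not on this page), eight failed decryptions now block a source instead of sixteen. That matters for clients behind a shared NAT address, which would be blocked together. I would add a comment above the group such as `/* score added per event for a peer address; the address is blocked once the total reaches MAX_TRIES */`, adjusted to what `report_addr` really does. Any user of `ATTACK` outside the files shown would stop compiling, and a caller that passes `BAD` silently gets half its old weight.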
@@ -145,7 +145,7 @@ typedef struct {
#define CHACHA20IETF 20

#define ONETIMEAUTH_FLAG 0x10
#define ADDRTYPE_MASK 0xF
#define ADDRTYPE_MASK 0xEF

#define ONETIMEAUTH_BYTES 10U
#define CLEN_BYTES 2U
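Review bot: `ADDRTYPE_MASK` is now the literal `0xEF`, which is every bit of the byte except `ONETIMEAUTH_FLAG` (0x10), but nothing on the line says the two are tied. Deriving it as `#define ADDRTYPE_MASK (0xFF & ~ONETIMEAUTH_FLAG)`, or adding `/* all bits but ONETIMEAUTH_FLAG; any other extra bit makes the address type match no known value */`, keeps the mask correct if the flag ever moves. Judging from the `(atyp & ADDRTYPE_MASK) == 4` tests in src/server.c, the practical effect is that address-type bytes with any of bits 0x20 to 0x80 set are no longer accepted as aliases of a valid type. Other users of the mask are not visible here and should be checked for the same assumption.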
@@ -27,6 +27,7 @@
#define MAX_CONF_SIZE 128 * 1024
#define MAX_DNS_NUM 4
#define MAX_CONNECT_TIMEOUT 10
#define MAX_REQUEST_TIMEOUT 60
#define MIN_UDP_TIMEOUT 10

#define TCP_ONLY 0
@@ -233,6 +233,8 @@ parse_header_len(const char atyp, const char *data, size_t offset)
} else if ((atyp & ADDRTYPE_MASK) == 4) {
// IP V6
len += sizeof(struct in6_addr);
} else {
return 0;
}
len += 2;
return len;
@@ -262,6 +264,8 @@ is_header_complete(const buffer_t *buf)
} else if ((atyp & ADDRTYPE_MASK) == 4) {
// IP V6
header_len += sizeof(struct in6_addr);
} else {
return 0;
}

// len of port
@@ -612,6 +616,7 @@ server_recv_cb(EV_P_ ev_io *w, int revents)
// wait for more
return;
}

} else {
buf->len = r;
}
@@ -620,7 +625,7 @@ server_recv_cb(EV_P_ ev_io *w, int revents)

if (err) {
LOGE("invalid password or cipher");
report_addr(server->fd, ATTACK);
report_addr(server->fd, MALICIOUS);
close_and_free_remote(EV_A_ remote);
close_and_free_server(EV_A_ server);
return;
@@ -730,7 +735,7 @@ server_recv_cb(EV_P_ ev_io *w, int revents)
size_t header_len = parse_header_len(atyp, server->buf->array, offset);
size_t len = server->buf->len;

if (len < offset + header_len + ONETIMEAUTH_BYTES) {
if (header_len == 0 || len < offset + header_len + ONETIMEAUTH_BYTES) {
report_addr(server->fd, MALFORMED);
close_and_free_server(EV_A_ server);
return;
@@ -1000,7 +1005,7 @@ server_timeout_cb(EV_P_ ev_timer *watcher, int revents)
LOGI("incomplete header: %zu", len);
#endif
}
report_addr(server->fd, ATTACK);
report_addr(server->fd, SUSPICIOUS);
}

close_and_free_remote(EV_A_ remote);
@@ -1335,10 +1340,13 @@ new_server(int fd, listen_ctx_t *listener)
server->d_ctx = NULL;
}

int request_timeout = min(MAX_REQUEST_TIMEOUT, listener->timeout)
+ rand() % MAX_REQUEST_TIMEOUT;

ev_io_init(&server->recv_ctx->io, server_recv_cb, fd, EV_READ);
ev_io_init(&server->send_ctx->io, server_send_cb, fd, EV_WRITE);
ev_timer_init(&server->recv_ctx->watcher, server_timeout_cb,
min(MAX_CONNECT_TIMEOUT, listener->timeout), listener->timeout);
request_timeout, listener->timeout);

balloc(server->buf, BUF_SIZE);
balloc(server->header_buf, BUF_SIZE);
@@ -1433,7 +1441,6 @@ accept_cb(EV_P_ ev_io *w, int revents)
}

char *peer_name = get_peer_name(serverfd);

if (peer_name != NULL) {
if (check_block_list(peer_name, 0)) {
LOGE("block all requests from %s", peer_name);
@@ -1442,7 +1449,7 @@ accept_cb(EV_P_ ev_io *w, int revents)
}
if (acl) {
if ((get_acl_mode() == BLACK_LIST && acl_match_host(peer_name) == 1)
|| (get_acl_mode() == WHITE_LIST && acl_match_host(peer_name) >= 0)) {
|| (get_acl_mode() == WHITE_LIST && acl_match_host(peer_name) >= 0)) {
LOGE("Access denied from %s", peer_name);
close(serverfd);
return;
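Review bot: In the `new_server` hunk the first-request timer becomes `min(MAX_REQUEST_TIMEOUT, listener->timeout) + rand() % MAX_REQUEST_TIMEOUT`, and no `srand()` call is visible on this page. Unless the generator is seeded elsewhere, the jitter sequence repeats after every start and can be learned by an observer. The same line lets a connection that has not yet sent a valid header stay open for up to 119 s instead of at most `MAX_CONNECT_TIMEOUT` (10 s), so an unauthenticated peer can hold descriptors and buffers far longer; that trade-off deserves a comment and possibly a cap on pending connections per address. I would confirm the seeding at startup and add above the assignment `/* base timeout plus 0..MAX_REQUEST_TIMEOUT-1 s of jitter so the close time of an incomplete request is not fixed */`. The body of `new_server` starts and ends outside the hunk, so the seeding and any existing limit may simply not be shown.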